Re: some questions from F-Secure about DoubleAgent vulnerability

Hi Parham,

Thank you for reaching out to us in our Community with your concerns.

Allow me to address your questions regarding DoubleAgent.

1. We decided not to publish this statement but only provide it when needed because, while this Proof-of-Concept provides an interesting academic exercise, it is not a new threat to defenders that prepare themselves with the right information and resources. However, you can now find our official statement quoted below:

Cybellum's publication describes a way of creating a launch point using standard mechanisms present in all modern Windows operating systems. The described methodology requires admin privileges and will work on any process in the system. Cybellum have presented their findings as a way to establish persistence or hide activities such as data exfiltration in processes trusted by standard endpoint protection mechanisms. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack.

Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. To attain this level of compromise, standard endpoint protection mechanisms will have already been bypassed multiple times. Those familiar with the art understand that standard endpoint protection mechanisms are not designed to combat such attacks. This is why we and many other cyber security companies emphasize the importance of endpoint detection and response (EDR) security solutions as a complement to preventative security products. Our own EDR offering is more than capable of detecting such attacks, including the one demonstrated by Cybellum.

Typically, endpoint protection mechanisms do not place limits on what administrators can or cannot do, as that would make the products impractical for everyday use. That is why EDR solutions are designed to flag potentially malicious actions regardless of whether the user appears to have the necessary authorization.

As an ongoing process, we're constantly adding features to our products in order to detect and prevent mechanisms such as the one detailed in this report.

2. The POC does not actually exploit a vulnerability in F-Secure products. It describes a way to maliciously utilize a standard Windows mechanism for performing quality assurance. This method works on any Windows process (not just AV processes). The POC only works in the event the attacker has administrative privileges for the targeted system. That means an attacker would have already compromised the system and elevated their access to a system administrator before executing the POC as described. An attacker with administrative privileges would have enough access to the system to accomplish their objectives without having to resort to this approach, making it impractical to use in actual attack scenarios.

For example, it is easier for attackers to simply uninstall security software (which would expose the system to the highly prevalent types of commodity malware already available to attackers) rather than use it in the way the POC describes.

While this is not a vulnerability in our product or a practical technique for most attackers, we remain committed to providing our customers with the best protection. Our endpoint detection and response solution (Rapid Detection Service) already detects this POC and similar post-breach attacks, and we are adding detections to other products.

I hope this addresses your concerns regarding the published article. Please do not hesitate to reply should you have further concerns. Have a nice day!
